Encryption should require an explicit fallback (#1364)

Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
This commit is contained in:
Christian Mesh 2024-03-11 09:24:59 -04:00 committed by GitHub
parent a18e643a8d
commit b052880246
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -126,9 +126,16 @@ func (s *baseEncryption) decrypt(data []byte, validator func([]byte) error) ([]b
// Must have been invalid json payload
return nil, fmt.Errorf("unable to determine data structure during decryption: %w", verr)
}
methods, diags := s.buildTargetMethods(make(map[keyprovider.Addr][]byte))
if diags.HasErrors() {
// This cast to error here is safe as we know that at least one error exists
// This is also quite unlikely to happen as the constructor already has checked this code path
return nil, diags
}
// Yep, it's already decrypted
for target := s.target; target != nil; target = target.Fallback {
if target.Fallback == nil {
for _, method := range methods {
if method == nil {
// fallback allowed
return data, nil
}